---
page_title: "cloudflare_access_rule Resource - Cloudflare"
subcategory: ""
description: |-
  Provides a Cloudflare IP Firewall Access Rule resource. Access
  control can be applied on basis of IP addresses, IP ranges, AS
  numbers or countries.
---

# cloudflare_access_rule (Resource)

Provides a Cloudflare IP Firewall Access Rule resource. Access
control can be applied on basis of IP addresses, IP ranges, AS
numbers or countries.

## Example Usage

```terraform
# Challenge requests coming from known Tor exit nodes.
resource "cloudflare_access_rule" "tor_exit_nodes" {
  zone_id = "0da42c8d2132a9ddaf714f9e7c920711"
  notes   = "Requests coming from known Tor exit nodes"
  mode    = "challenge"
  configuration {
    target = "country"
    value  = "T1"
  }
}

# Allowlist requests coming from Antarctica, but only for single zone.
resource "cloudflare_access_rule" "antarctica" {
  zone_id = "0da42c8d2132a9ddaf714f9e7c920711"
  notes   = "Requests coming from Antarctica"
  mode    = "whitelist"
  configuration {
    target = "country"
    value  = "AQ"
  }
}

# Allowlist office's network IP ranges on all account zones (or other lists of
# resources).
variable "my_office" {
  type    = list(string)
  default = ["192.0.2.0/24", "198.51.100.0/24", "2001:db8::/56"]
}

resource "cloudflare_access_rule" "office_network" {
  account_id = "f037e56e89293a057740de681ac9abbe"
  count      = length(var.my_office)
  notes      = "Requests coming from office network"
  mode       = "whitelist"
  configuration {
    target = "ip_range"
    value  = element(var.my_office, count.index)
  }
}
```
<!-- schema generated by tfplugindocs -->
## Schema

### Required

- `configuration` (Block List, Min: 1, Max: 1) Rule configuration to apply to a matched request. **Modifying this attribute will force creation of a new resource.** (see [below for nested schema](#nestedblock--configuration))
- `mode` (String) The action to apply to a matched request. Available values: `block`, `challenge`, `whitelist`, `js_challenge`, `managed_challenge`.

### Optional

- `account_id` (String) The account identifier to target for the resource. Must provide only one of `account_id`, `zone_id`. **Modifying this attribute will force creation of a new resource.**
- `notes` (String) A personal note about the rule. Typically used as a reminder or explanation for the rule.
- `zone_id` (String) The zone identifier to target for the resource. Must provide only one of `account_id`, `zone_id`. **Modifying this attribute will force creation of a new resource.**

### Read-Only

- `id` (String) The ID of this resource.

<a id="nestedblock--configuration"></a>
### Nested Schema for `configuration`

Required:

- `target` (String) The request property to target. Available values: `ip`, `ip6`, `ip_range`, `asn`, `country`. **Modifying this attribute will force creation of a new resource.**
- `value` (String) The value to target. Depends on target's type. **Modifying this attribute will force creation of a new resource.**

## Import

Import is supported using the following syntax:

```shell
# User level access rule import.
$ terraform import cloudflare_access_rule.default user/<user_id>/<rule_id>

# Zone level access rule import.
$ terraform import cloudflare_access_rule.default zone/<zone_id>/<rule_id>

# Account level access rule import.
$ terraform import cloudflare_access_rule.default account/<account_id>/<rule_id>
```
